Definition of Powerful Features

[torgo]

Hi folks - this is in reference to our design principles issue which is about harmonizing what we say in design principles with what you're saying here - to avoid confusion and make sure we're in sync. In §3.3 of your doc you state:

A powerful feature is a web platform feature (usually an API) for which a user gives express permission before the feature can be used."

We say in §2.2 of design principles

Some powerful APIs can produce intrusive UI (eg. auto-playing audio), expose user data (eg. interacting with the clipboard), perform a background activity without an obvious indicator to the user (eg. accessing local storage), or prompt the user to interact with trusted UI (eg. permission prompts, device hardware features). These APIs should be designed to require some indication of user intention (such as user activation) in order to function. This indicates that the user is intentionally interacting with the web page in question.

Do y'all agree that this is a good definition of powerful features? Could we coalesce on one definition which we could both reference? Also we are saying "user activation" and you're saying "express permission". Maybe this indicates there are two different levels of powerful features we're talking about? Or should design principles strengthen our recommendation to also recommend express permission?

[annevk]

I wonder if there's a better term that can be used to describe these than "powerful". For instance, SharedArrayBuffer doesn't fit this definition, yet it is definitely considered quite powerful and adding it in a secure fashion required a lot of web platform integration work.

[jyasskin]

Overall, +1 to unifying the definitions. The one here is primarily just so we had a term for "features that need permission".

Some history:

• The term was originally used in https://www.w3.org/TR/2014/WD-powerful-features-20141204/#powerful-feature and was taken out in w3c/webappsec-secure-contexts@e42072e.
• I added it to this spec in Give the UA permission to return anything it wants from query(). #97, where I defined it as "A feature of a UA that some code might not be allowed to access, for example because its environment settings object doesn't satisfy some criteria, or because the user hasn't given permission." That cites https://www.w3.org/2016/06/08-webappsec-minutes.html, but I couldn't find the discussions on what term to use.
• The narrowing to only cover features that require permission happened in f439e85 with no linked review or discussion. @marcoscaceres, am I missing a place where people got to weigh in on whether the narrower definition was an improvement?

I think there's a useful distinction between the sort of features that Permissions and Design Principles are talking about, and features like SharedArrayBuffer which aren't supposed to expose the user's information but that do require care in their design to make sure that goal is achieved. I've always felt that "powerful" isn't quite the right word, but it's always been the best we could come up with.